Synology disconnect ldap

Hi
I have UCS running fine on a proxmox server.
Straight out of the box the synology ldap connects and the ucs ad works a treat!
Though to get the login from Windows I need to install Active Directory-compatible Domain Controller, and as soon as I do that I lose my connection from the Synology and cannot connect back to it.

Has this got to do with the LDAP ports being used for Samba, and therefore unavailable?

If I uninstall Active Directory-compatible Domain Controller the Synology connects back to the LDAP server fine.

Could someone please help me get this working?
Thank you!
R

Hi @rmac,

Regardless of whether the Samba4 AD is installed, the Univention LDAP is always configured to also listen on ports 7389 and 7636. Whenever you integrate something with the UCS LDAP I would recommend using these ports instead.

Hi @fbartels, thanks for the response! Do you know what could be causing the issue on the Synology DSM side? I’ve changed the services to run on ports 7389 and 7636. All services seem happy and running, but it gives me a permissions error, which in the log on the Synology says it can’t connect to the LDAP server.

I totally understand that this is probably more of a Synology question, but their support just says you can’t change it. Though because it’s working before the install of Samba4 AD, there must be a way!

Which issue exactly? The leading system internally is OpenLDAP on UCS, and a filtered list of attributes is replicated between OpenLDAP and the Samba AD. Therefore it’s always better to talk to the direct source, especially if you may require additional attributes to be set or set them yourself.

As for the permission error, that is hard to say with the given information. For my own setup I am running a container with stunnel on the Synology directly. I did this because back when I set it up I found no reliable way to import the UCS CA into Synology, but I needed it to trust the LDAPS connection. The stunnel container exposes my UCS LDAP on a plain LDAP port on the localhost interface.

There are several issues.
Not least of which is that the Synology WILL NOT synchronize correctly with Univention 4.x or 5.x.
It makes the AD connection correctly, but it is just nonsense, in that most of your users will be missing.

There have been reports of anything from 5-19 users showing up, but the rest are missing.

You can issue the following from the Synology terminal:

sudo net ads synodb user -P; net ads synodb group -P;

This will then FULLY pull in all your users & groups, but must be run every time you make a change.

Better NOT purchase Synology; they have gone downhill recently and just will not support on this.
You will find the thread here:

//community.synology.com/enu/forum/1/post/142636

For archive: same as in https://help.univention.com/t/ldap-connection-synology-and-ucs/18079/2
In fact, net ads synodb user -P does not sync users’ extended attributes like userAccountControl, accountExpires, etc., because the -P means use the machine account, and this is a very unprivileged user. That results in a false status in the users list.

The right command is:

net ads synodb user -U user%password; 
net ads synodb group -P;

The “user” must be in “Account operators” group.
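The post above says that a sync run with the machine account leaves out userAccountControl and accountExpires, so the Synology shows a wrong enabled/disabled status. The following is an added example, not code from this thread or from Univention or Synology: it decodes those two attributes from an LDIF export (as ldapsearch against the AD side would produce) so an administrator can check which imported accounts are really disabled or expired, and it reports "unknown" rather than "active" when the attributes are missing. The LDIF entries, the example.test domain and the account names are constructed for the demonstration; the flag bit values and the FILETIME epoch are the documented Active Directory ones.

```python
# Added example, not code from the thread or from Univention/Synology.
# Decodes userAccountControl and accountExpires from an LDIF export so the
# real account state can be compared with what the Synology user list shows.
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC;
# both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# Constructed sample LDIF (not real data). "dave" lacks both attributes,
# which is what an entry synced with the unprivileged machine account
# looks like.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
accountExpires: 0

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514
accountExpires: 9223372036854775807

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 66080
accountExpires: 132223104000000000

dn: CN=dave,CN=Users,DC=example,DC=test
sAMAccountName: dave
"""


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware datetime, or None for 'never'."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry; no base64 (::) or folded lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def account_state(entry, now):
    """Classify an entry as active, disabled, expired, or unknown (attributes missing)."""
    if "userAccountControl" not in entry:
        return "unknown"  # do not assume "active" when the sync dropped the attribute
    uac = int(entry["userAccountControl"][0])
    if uac & ACCOUNTDISABLE:
        return "disabled"
    expires = filetime_to_datetime(int(entry.get("accountExpires", ["0"])[0]))
    if expires is not None and expires <= now:
        return "expired"
    return "active"


def audit(ldif_text, now=None):
    """Return {sAMAccountName: {"state", "expires", "flags"}} for every entry."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for entry in parse_ldif(ldif_text):
        name = entry["sAMAccountName"][0]
        uac = int(entry.get("userAccountControl", ["0"])[0])
        flags = [label for label, bit in (("PASSWD_NOTREQD", PASSWD_NOTREQD),
                                          ("DONT_EXPIRE_PASSWORD", DONT_EXPIRE_PASSWORD))
                 if uac & bit]
        expires = filetime_to_datetime(int(entry.get("accountExpires", ["0"])[0]))
        report[name] = {"state": account_state(entry, now),
                        "expires": expires.isoformat() if expires else None,
                        "flags": flags}
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_LDIF).items():
        print(f"{name:8} {info['state']:9} expires={info['expires']} flags={info['flags']}")
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch for sAMAccountName, userAccountControl and accountExpires; any account reported as "unknown" is one whose status the Synology cannot have evaluated correctly.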
